x-extend:
  schema: config-values.yaml
type: object
properties:
  internal:
    type: object
    default: {}
    properties:
      customClusterRoles:
        type: object
        properties:
          user:
            type: array
            items:
              type: string
            default: []
          privilegedUser:
            type: array
            items:
              type: string
            default: []
          editor:
            type: array
            items:
              type: string
            default: []
          admin:
            type: array
            items:
              type: string
            default: []
          clusterEditor:
            type: array
            items:
              type: string
            default: []
          clusterAdmin:
            type: array
            items:
              type: string
            default: []
        default: {}
      webhookCertificate:
        type: object
        properties:
          ca:
            type: string
            x-examples: [ "testca" ]
          key:
            type: string
            x-examples: [ "testkey" ]
          crt:
            type: string
            x-examples: [ "testcrt" ]
      clusterAuthRuleCrds:
        type: array
        items:
          type: object
          required:
            - name
            - spec
          properties:
            name:
              type: string
              minLength: 1
            spec:
              type: object
              required:
                - subjects
              properties:
                accessLevel:
                  type: string
                  enum: [User,PrivilegedUser,Editor,Admin,ClusterEditor,ClusterAdmin,SuperAdmin]
                portForwarding:
                  type: boolean
                allowScale:
                  type: boolean
                allowAccessToSystemNamespaces:
                  type: boolean
                limitNamespaces:
                  type: array
                  items:
                    type: string
                    minLength: 1
                namespaceSelector:
                  type: object
                  oneOf:
                    - required: ["labelSelector"]
                    - required: ["matchAny"]
                  properties:
                    matchAny:
                      type: boolean
                      enum: [true]
                    labelSelector:
                      type: object
                      minProperties: 1
                      properties:
                        matchExpressions:
                          items:
                            properties:
                              key:
                                type: string
                              operator:
                                type: string
                                enum: [In,NotIn,Exists,DoesNotExist]
                              values:
                                type: array
                                items:
                                  type: string
                                  minLength: 1
                                  maxLength: 63
                                  pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?'
                            required:
                              - key
                              - operator
                            type: object
                          type: array
                        matchLabels:
                          additionalProperties:
                            type: string
                            minLength: 1
                            maxLength: 63
                            pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?'
                          type: object
                subjects:
                  type: array
                  items:
                    type: object
                    required:
                      - kind
                      - name
                    properties:
                      kind:
                        type: string
                        enum: [User,Group,ServiceAccount]
                      name:
                        type: string
                        minLength: 1
                      namespace:
                        type: string
                        minLength: 1
                        maxLength: 63
                        pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?'
                additionalRoles:
                  type: array
                  items:
                    type: object
                    required:
                      - apiGroup
                      - kind
                      - name
                    properties:
                      apiGroup:
                        type: string
                        minLength: 1
                      kind:
                        type: string
                        enum: [ClusterRole]
                      name:
                        type: string
                        minLength: 1
        default: []
      authRuleCrds:
        type: array
        items:
          required:
            - name
            - namespace
            - spec
          type: object
          properties:
            name:
              type: string
              minLength: 1
            namespace:
              type: string
              minLength: 1
              maxLength: 63
              pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?'
            spec:
              type: object
              required:
                - subjects
              properties:
                accessLevel:
                  type: string
                  enum: [User,PrivilegedUser,Editor,Admin]
                portForwarding:
                  type: boolean
                allowScale:
                  type: boolean
                subjects:
                  type: array
                  items:
                    type: object
                    required:
                      - kind
                      - name
                    properties:
                      kind:
                        type: string
                        enum: [User,Group,ServiceAccount]
                      name:
                        type: string
                        minLength: 1
                      namespace:
                        type: string
                        minLength: 1
                        maxLength: 63
                        pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?'
        default: []
    x-examples:
    - webhookCertificate:
        ca: castring
        key: keystring
        crt: certificatestring
      customClusterRoles:
        admin:
          - d8:user-authz:cert-manager:admin
          - d8:user-authz:cert-manager:editor
          - d8:user-authz:cert-manager:user
          - d8:user-authz:cloud-provider-openstack:user
          - d8:user-authz:ingress-nginx:editor
          - d8:user-authz:node-manager:user
          - d8:user-authz:prometheus-metrics-adapter:editor
          - d8:user-authz:prometheus-metrics-adapter:user
          - d8:user-authz:prometheus:editor
        clusterAdmin:
          - d8:user-authz:cert-manager:admin
          - d8:user-authz:cert-manager:cluster-editor
          - d8:user-authz:cert-manager:editor
          - d8:user-authz:cert-manager:user
          - d8:user-authz:cloud-provider-openstack:cluster-admin
          - d8:user-authz:cloud-provider-openstack:user
          - d8:user-authz:ingress-nginx:cluster-editor
          - d8:user-authz:ingress-nginx:editor
          - d8:user-authz:node-manager:cluster-admin
          - d8:user-authz:node-manager:cluster-editor
          - d8:user-authz:node-manager:user
          - d8:user-authz:prometheus-metrics-adapter:cluster-editor
          - d8:user-authz:prometheus-metrics-adapter:editor
          - d8:user-authz:prometheus-metrics-adapter:user
          - d8:user-authz:prometheus:cluster-editor
          - d8:user-authz:prometheus:editor
        clusterEditor:
          - d8:user-authz:cert-manager:cluster-editor
          - d8:user-authz:cert-manager:editor
          - d8:user-authz:cert-manager:user
          - d8:user-authz:cloud-provider-openstack:user
          - d8:user-authz:ingress-nginx:cluster-editor
          - d8:user-authz:ingress-nginx:editor
          - d8:user-authz:node-manager:cluster-editor
          - d8:user-authz:node-manager:user
          - d8:user-authz:prometheus-metrics-adapter:cluster-editor
          - d8:user-authz:prometheus-metrics-adapter:editor
          - d8:user-authz:prometheus-metrics-adapter:user
          - d8:user-authz:prometheus:cluster-editor
          - d8:user-authz:prometheus:editor
        editor:
          - d8:user-authz:cert-manager:editor
          - d8:user-authz:cert-manager:user
          - d8:user-authz:cloud-provider-openstack:user
          - d8:user-authz:ingress-nginx:editor
          - d8:user-authz:node-manager:user
          - d8:user-authz:prometheus-metrics-adapter:editor
          - d8:user-authz:prometheus-metrics-adapter:user
          - d8:user-authz:prometheus:editor
        privilegedUser:
          - d8:user-authz:cert-manager:user
          - d8:user-authz:cloud-provider-openstack:user
          - d8:user-authz:node-manager:user
          - d8:user-authz:prometheus-metrics-adapter:user
        user:
          - d8:user-authz:cert-manager:user
          - d8:user-authz:cloud-provider-openstack:user
          - d8:user-authz:node-manager:user
          - d8:user-authz:prometheus-metrics-adapter:user
      clusterAuthRuleCrds:
      - name: editor-crd
        spec:
          accessLevel: Editor
          subjects:
          - kind: Group
            name: Editors
      - name: user-crd
        spec:
          accessLevel: User
          subjects:
          - kind: Group
            name: Everyone
      - name: admin-crd
        spec:
          accessLevel: ClusterEditor
          allowScale: false
          portForwarding: true
          subjects:
          - kind: Group
            name: NotEveryone
      authRuleCrds:
      - name: editor-crd
        namespace: editor
        spec:
          accessLevel: Editor
          subjects:
          - kind: Group
            name: Editors
      - name: user-crd
        namespace: user
        spec:
          accessLevel: User
          subjects:
          - kind: Group
            name: Everyone
      - name: admin-crd
        namespace: admin
        spec:
          accessLevel: Admin
          allowScale: false
          portForwarding: true
          subjects:
          - kind: Group
            name: NotEveryone
